listening to johoe is inspiring. but it appears to me that even if you're using a BIP32 wallet, you'll still be exposed to a hack from address reuse if you choose to accept multiple payments to a single address. for instance, if you accept 5 payments of 1BTC each to a single address, you will create 5 UTXO's of 1BTC each. if you then only spend 1BTC from that address, you will leave the other 4 UTXO's behind on that address which will force you to reuse that address later on when you decide to make another payment. so in that sense, HD wallets (BIP32) are still exposed if you're not careful and don't always force all tx's to empty an address. i understand that this is not directly related to the reuse of the r value that johoe talks about in this episode, but it's concerning to me nonetheless unless i have something wrong:

Did johoe talk about BIP32 wallets in the stream? I just scanned through, but couldn't find any reference to BIP32 wallets.However, AFAIK you're right. As soon as the hacker gets 2 different signatures with the same R value from the same address (e.g. from transactions, but could also be from signed messages (!) or a mixture of both), he can calculate the private key of the address and then spend all the funds still left on that address. So from 0 to 1 outgoing transactions (or publicly accessible signed messages) an address should be safe (from this specific problem). I think so far this is not related to HD/BIP32 wallets other than it's easier to not reuse a single address.

My prediction: gold and bitcoin will find equilibrium and become tidal locked.

can you put a time on that?

I think something is going to happen to gold soon. The price is being suppressed by counterfeit certificates. Rich people want real gold.

Bitcoin (and the free market) really need to find some peg. Gold ETFs have served that purpose to some degree, but Bitcoin will drag gold much higher as its ad-hoc digital twin. If I were to venture a guess it would have to do with whichever country has enough gold and is willing to acquire bitcoins as well. When people start losing faith in fiat currency and bonds, they will trade gold for bitcoins.

I can think of unthinkable scenarios regarding confiscation of gold or its ownership belonging to a designated class. Bitcoin would be the only way the rest of us can be licensed to hold gold.

Most likely it will occur organically as fiat currencies fail. Both bitcoin and gold will see huge swings in the next few year, but 2019 will be when they become pegged.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.

My prediction: gold and bitcoin will find equilibrium and become tidal locked.

can you put a time on that?

I think something is going to happen to gold soon. The price is being suppressed by counterfeit certificates. Rich people want real gold.

Bitcoin (and the free market) really need to find some peg. Gold ETFs have served that purpose to some degree, but Bitcoin will drag gold much higher as its ad-hoc digital twin. If I were to venture a guess it would have to do with whichever country has enough gold and is willing to acquire bitcoins as well. When people start losing faith in fiat currency and bonds, they will trade gold for bitcoins.

I can think of unthinkable scenarios regarding confiscation of gold or its ownership belonging to a designated class. Bitcoin would be the only way the rest of us can be licensed to hold gold.

Most likely it will occur organically as fiat currencies fail. Both bitcoin and gold will see huge swings in the next few year, but 2019 will be when they become pegged.

thanks for putting a time on it.

by 'tidal locked' and 'pegged', do you mean they have a very high correllation coefficient or something else? 'peg' sounds like something that is being actively enforced through market operations or redemption offerings, but I doubt that's what you mean, right?

My prediction: gold and bitcoin will find equilibrium and become tidal locked.

can you put a time on that?

I think something is going to happen to gold soon. The price is being suppressed by counterfeit certificates. Rich people want real gold.

Bitcoin (and the free market) really need to find some peg. Gold ETFs have served that purpose to some degree, but Bitcoin will drag gold much higher as its ad-hoc digital twin. If I were to venture a guess it would have to do with whichever country has enough gold and is willing to acquire bitcoins as well. When people start losing faith in fiat currency and bonds, they will trade gold for bitcoins.

I can think of unthinkable scenarios regarding confiscation of gold or its ownership belonging to a designated class. Bitcoin would be the only way the rest of us can be licensed to hold gold.

Most likely it will occur organically as fiat currencies fail. Both bitcoin and gold will see huge swings in the next few year, but 2019 will be when they become pegged.

thanks for putting a time on it.

by 'tidal locked' and 'pegged', do you mean they have a very high correllation coefficient or something else? 'peg' sounds like something that is being actively enforced through market operations or redemption offerings, but I doubt that's what you mean, right?

Yeah, I mean there are strong psychological attractions to precious metals. Bitcoin will prove itself as vault level security in your pocket. That will have an equally strong psychological effect. Superstitious thinking will identify gold with bitcoin as having complementary attributes.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.

Just the first large green candle of many! We have been talking about this 2015 pump for a while now.......

oh u must have finally bought.. time to sell until u sell at a loss

Just weeks ago u were talking shit like how u could have bought at $2 and u knew better buying a digital currency especially after it hit $1100 u vowed never to buy so high... yet at $300 its lowenough to buy even though $2 was expensive? Sounds like a professional bct trololol

LOL? WTF are you talking about all I have done on these forums is make unbias opinions on how the market is moving at any given time... I was a permabear until we kept bottoming around $300

I never said anything about $2 lol wtf I talk as close to the money as possible. I don't talk about a crash and I don't talk about the moon

disclaimer: I have been fully leveraged long at approx. $317~ but everyone who follows my posts knows that already

Unbiased opinions on how the market is moving at any given time? bahahaha

just a few months ago, fewcoins said (and I quote),

"All of those "buy walls" are sooo fake... I watch many of those people cancel ALL THE TIME! That's what happens with unregulated things!!! As a perma-bear, I can tell you BTC price chart looks exactly the same as a penny stock pump and dump that waves widly in the wind back n forth back n forth until its literally worth $0.00"

So he wants you to think (at some points) that bitcoin is going to zero while at other points it's just going to go up and up. He's either a lying troll or an imbecile.

And just today in the Bull Run Initiated Thread (just look in his posting history) he says:

"Amazing buy walls at 330 & 325 now too... We will be lucky to get coins around the 315-320 level again before this bounce really goes up"

So my question is, do you think fewcoins still expects bitcoin to go to zero before it goes up?

listening to johoe is inspiring. but it appears to me that even if you're using a BIP32 wallet, you'll still be exposed to a hack from address reuse if you choose to accept multiple payments to a single address. for instance, if you accept 5 payments of 1BTC each to a single address, you will create 5 UTXO's of 1BTC each. if you then only spend 1BTC from that address, you will leave the other 4 UTXO's behind on that address which will force you to reuse that address later on when you decide to make another payment. so in that sense, HD wallets (BIP32) are still exposed if you're not careful and don't always force all tx's to empty an address. i understand that this is not directly related to the reuse of the r value that johoe talks about in this episode, but it's concerning to me nonetheless unless i have something wrong:

Did johoe talk about BIP32 wallets in the stream? I just scanned through, but couldn't find any reference to BIP32 wallets.However, AFAIK you're right. As soon as the hacker gets the R value of 2 signatures from the same address (e.g. from transactions, but could also be from signed messages (!) or a mixture of both), he can calculate the private key of the address and then spend all the funds still left on that address. So from 0 to 1 outgoing transactions (or publicly accessible signed messages) an address should be safe (from this specific problem). I think so far this is not related to HD/BIP32 wallets other than it's easier to not reuse a single address.

i think they did mention HD wallets somewhere in the interview but no matter.

the solution presented was to not reuse addresses as a way to solve the repeat R value problem with a poor RNG or implementation bug. at that point i remember HD wallet use being recommended. that's fine and good but HD wallet marketing has given what i think is a somewhat false impression of preventing address reuse as in the example i gave above. in fact, i could see a major chain store owner assigning a specific fixed xpub address to each member store which they print out in QR code form for posting at their checkout stations. hundreds if not thousands of tx's would serve to expand the UTXO set associated with a particular stores address. if the owner then only spends a fraction of the BTC associated with that address repeatedly over time, that would expose the xpubkey, which would decrease security not necessarily to the same R value problem encountered with blockchain.info but perhaps to some other insecurity yet to be found.

point being that HD wallets will require much greater use scrutiny than initially thought.

I think something is going to happen to gold soon. The price is being suppressed by counterfeit certificates. Rich people want real gold.

I don't think Rich people want gold, I think it's a part of their overall portfolio, they own paper gold. Rich people believe in the markets, real estate, and the USD because it's served them so well. They want diversity. In some cases they want to hide their money, but gold isn't a good way to do that. We all know the advantages of Bitcoin over gold and in 10 years I believe most rich people will have BTC as a part of their overall portfolio.

I think something is going to happen to gold soon. The price is being suppressed by counterfeit certificates. Rich people want real gold.

I don't think Rich people want gold, I think it's a part of their overall portfolio, they own paper gold. Rich people believe in the markets, real estate, and the USD because it's served them so well. They want diversity. In some cases they want to hide their money, but gold isn't a good way to do that. We all know the advantages of Bitcoin over gold and in 10 years I believe most rich people will have BTC as a part of their overall portfolio.

Or alternatively, in 10 years people with bitcoin in their portfolio will be rich.

ordinary goldbugs and speculators having to liquidate tons of physical gold at local coin dealers is going to be a sight to behold.

Same holds true for Bitcoin, BTW. Holding both, and needing to at some point re-initiate a revenue stream, I'll probably draw down my BTC holding more than my phyz ones assuming that both maintain the current unhappy situation of being at an inopportune selling point over the next few years.

Your scenario is nothing especially new. We saw it during the 2008 crisis. Plenty of people did not leave themselves enough of a buffer and were forced to liquidate whatever they had. In some cases this was PMs and the impact was noticeable. My portfolio suffered, but not to nearly the extent that my more mainstream counterparts who were heavily into mainstream instruments did. Many enjoyable and productive conversations around the water-cooler ensued.

listening to johoe is inspiring. but it appears to me that even if you're using a BIP32 wallet, you'll still be exposed to a hack from address reuse if you choose to accept multiple payments to a single address. for instance, if you accept 5 payments of 1BTC each to a single address, you will create 5 UTXO's of 1BTC each. if you then only spend 1BTC from that address, you will leave the other 4 UTXO's behind on that address which will force you to reuse that address later on when you decide to make another payment. so in that sense, HD wallets (BIP32) are still exposed if you're not careful and don't always force all tx's to empty an address. i understand that this is not directly related to the reuse of the r value that johoe talks about in this episode, but it's concerning to me nonetheless unless i have something wrong:

Did johoe talk about BIP32 wallets in the stream? I just scanned through, but couldn't find any reference to BIP32 wallets.However, AFAIK you're right. As soon as the hacker gets the R value of 2 signatures from the same address (e.g. from transactions, but could also be from signed messages (!) or a mixture of both), he can calculate the private key of the address and then spend all the funds still left on that address. So from 0 to 1 outgoing transactions (or publicly accessible signed messages) an address should be safe (from this specific problem). I think so far this is not related to HD/BIP32 wallets other than it's easier to not reuse a single address.

Address reuse is fine, not advised but fine regardless. The issue is if you use the exact same R value for 2 different signatures with the same private key. This an attribute of the DSA algorthim itself, and is not specific to ECDSA or any other DSA variant. As long as you use a truly random R value, then the odds of repeating an R value is less than someone randomly creating a private key that signs a specific address. The problem above is blockchain.info and other wallet software has at times not created random R values or used k values that are guessable, which is contrary to the DSA specification. Software that creates a truly random R value should never repeat an R value given the large numbers involved.

This is a great description of DSA and ECDSA if you are interested. It provides all the math required to understand Elliptical Curves and DSA , but in a descriptive manner for non-mathmatitions.

Towards the end it describes the R-reuse issue in the context of a hack on Sony where Sony used the same R value for everything, in gross violation of DSA's spec.

Quote from: article

Now I’ll discuss on how and why the ECDSA signatures that Sony used in the PS3 were faulty and how it allowed us to gain access to their private key.

So you remember the equations needed to generate a signature.. R = k*G and S= k^-1(z + dA*R) mod p.. well this equation’s strength is in the fact that you have one equation with two unknowns (k and dA) so there is no way to determine either one of those. However, the security of the algorithm is based on its implementation and it’s important to make sure that ‘k‘ is randomly generated and that there is no way that someone can guess, calculate, or use a timing attack or any other type of attack in order to find the random value ‘k‘. But Sony made a huge mistake in their implementation, they used the same value for ‘k‘ everywhere, which means that if you have two signatures, both with the same k, then they will both have the same R value, and it means that you can calculate k using two S signatures of two files with hashes z and z’ and signatures S and S’ respectively :

Once you know k, then the equation for S because one equation with one unknown and is then easily resolved for dA :

dA = (S*k – z) / R

Once you know the private key dA, you can now sign your files and the PS3 will recognize it as an authentic file signed by Sony. This is why it’s important to make sure that the random number used for generating the signature is actually “cryptographically random”. This is also the reason why it is impossible to have a custom firmware above 3.56, simply because since the 3.56 version, Sony have fixed their ECDSA algorithm implementation and used new keys for which it is impossible to find the private key.. if there was a way to find that key, then the security of every computer, website, system may be compromised since a lot of systems are relying on ECDSA for their security, and it is impossible to crack.

There is another recent attack on ECDSA specifically where an attacker with something on the order of 2^33 signatures for a private key might be able to back out the private key itself. But that is a gross usage of reuse, to put in context you would require more signatures than the total number of bitcoin transactions so far, all on a single address.

That said it demonstrates that ECDSA is still relatively new and not completely understood, it is possible (likely?) that more attacks or even fundamental flaws on ECDSA will be uncovered. This is why bitcoin has 2 forms of encryption protecting an address (a hash and a signature) and why every address I use that I care about are zero spend addresses, and thus still protected by both forms of encryption.

listening to johoe is inspiring. but it appears to me that even if you're using a BIP32 wallet, you'll still be exposed to a hack from address reuse if you choose to accept multiple payments to a single address. for instance, if you accept 5 payments of 1BTC each to a single address, you will create 5 UTXO's of 1BTC each. if you then only spend 1BTC from that address, you will leave the other 4 UTXO's behind on that address which will force you to reuse that address later on when you decide to make another payment. so in that sense, HD wallets (BIP32) are still exposed if you're not careful and don't always force all tx's to empty an address. i understand that this is not directly related to the reuse of the r value that johoe talks about in this episode, but it's concerning to me nonetheless unless i have something wrong:

Did johoe talk about BIP32 wallets in the stream? I just scanned through, but couldn't find any reference to BIP32 wallets.However, AFAIK you're right. As soon as the hacker gets the R value of 2 signatures from the same address (e.g. from transactions, but could also be from signed messages (!) or a mixture of both), he can calculate the private key of the address and then spend all the funds still left on that address. So from 0 to 1 outgoing transactions (or publicly accessible signed messages) an address should be safe (from this specific problem). I think so far this is not related to HD/BIP32 wallets other than it's easier to not reuse a single address.

Sorry for being stupid. Thank you, rocks for pointing that out. Only with the same R value of 2 different signatures from the same address (and thus public/private key) the hacker would be able to calculate the private key. As the R value is a part of the signature, that would be a big problem, otherwise. However, I remember reading something about similiar or related R values from which the private key can be calculated, too (by using a system of linear equations). Probably that is the thing, that confused me.

I think something is going to happen to gold soon. The price is being suppressed by counterfeit certificates. Rich people want real gold.

I don't think Rich people want gold, I think it's a part of their overall portfolio, they own paper gold. Rich people believe in the markets, real estate, and the USD because it's served them so well. They want diversity. In some cases they want to hide their money, but gold isn't a good way to do that. We all know the advantages of Bitcoin over gold and in 10 years I believe most rich people will have BTC as a part of their overall portfolio.

Or alternatively, in 10 years people with bitcoin in their portfolio will be rich.